Effects of Suppressing a Security Vulnerability Globally
Once a vulnerability is suppressed for one or more component versions at the global level, it is no longer visible in the Code Insight user interface or counted in vulnerability totals across Code Insight. The count reduction is evident on the dashboard for each project containing inventory associated with the suppressed vulnerability. The Vulnerabilities bar graphs in the user interface, as well as in subsequently generated API responses and reports (Project and Audit), do not reflect the suppressed vulnerability.
Likewise, the actual vulnerability is no longer visible in the list of vulnerabilities on the Security Vulnerabilities window (which is opened when you click a Vulnerabilities bar graph). However, you can view the suppressed vulnerability on the Global subtab of the Suppressed Vulnerabilities tab on the Data Library page (see Viewing Security Vulnerabilities Associated with One or More Component Versions at the Global Level).
The following describes the additional impact that a security vulnerability globally suppressed for one or more component versions has on other features across projects in Code Insight:
• Advanced Search on the Analysis Workbench, Project Inventory tab and Inventory View—When an inventory search is based on the vulnerability name or severity, the results do not include any inventory item associated with the component version for which the vulnerability is suppressed.
• Alerts—Any open alerts for the suppressed vulnerability are automatically closed, and the open and closed alert counts are adjusted on the Project Inventory tab, in the Analysis Workbench, and on the Inventory view.
Note: If, after suppressing a vulnerability globally, you want to change the status or priority of the alert for an impacted inventory item in a given project, see Working with Security Vulnerabilities.
• Policies—Once a security vulnerability is suppressed, no changes are initially propagated to those review policies that are based on vulnerabilities. However, each time one of these policies is triggered thereafter (that is, when an inventory item is published), the policy ignores the suppressed vulnerability when determining whether to automatically approve or reject the published inventory item.
Important: A change in policy due to the suppression of a vulnerability does not change the existing approval/rejection status of a published inventory item unless the item is manually recalled and then republished.
• Subsequent scans and rescans—Once a vulnerability is suppressed, it is no longer reflected in the results of subsequent rescans and initial scans, whether incremental or full, across projects.
• Vulnerability currently suppressed at project level now included in a global suppression—If a vulnerability suppressed at the project level is now included in a global-level suppression of the vulnerability, it is removed from the Project subtab and added to the Global subtab of the Suppressed Vulnerabilities tab on the Data Library page. In other words, the vulnerability remains suppressed for the specified component version in the project. However, it has been unsuppressed at the project level (and its exclusion analysis is deleted) and is now suppressed at the global level, along with all other inventory associated with this same component version across projects in Code Insight.